A scale of confidence for digital evidence


DCS1094 (Senior Member)
Re: A scale of confidence for digital evidence
Posted: Feb 01, 19 10:22

- tracedf
I think the correct answer is to say that you did not find evidence to support the contention that X opened folder A. That doesn't mean it didn't happen, but you don't have evidence of it. Absence of evidence is not necessarily evidence of absence.

There are times when there are multiple possible explanations or where connections are circumstantial. The best approach is to be honest and acknowledge competing possibilities without trying to lock into a 100% yes or no answer if you don't feel comfortable doing so.


Agreed. I had a case recently where I decoded data from infotainment system log files. Upon review of the log data, there was a gap in the entries over a solid 1-month period (which covered the incident timeframe), although other data from that period was still on the system.

Because the log data was missing, it was indicated to me that the owner of the vehicle must have done this. In reality, there could be a whole host of reasons... from log retention periods, to log files maxing out their size, to user actions, to faults within the system. I simply suggested various reasons from my experience of what I have encountered on other systems; however, it was not possible to narrow it down 100% despite testing.

passcodeunlock (Senior Member)
Re: A scale of confidence for digital evidence
Posted: Feb 01, 19 12:36

There is only one answer for this: EVIDENCE IS MISSING!

When in the world will the digital forensic experts and analysts learn not to play with other people's lives based on their (not so sure) assumptions?!

This whole "confidence scale" around digital evidence is bullsh!t, it should be deleted forever from FF, it has only negative effects.

I'm quiet on this topic from now on.
_________________
Apple passcode unlock + decrypted filesystem dump, Android user locks unlock + physical dump with decrypted userdata partition. We provide our services world-wide, but we reserve the right for choosing which tasks we take and which we deny!

pcstopper18 (Senior Member)
Re: A scale of confidence for digital evidence
Posted: Feb 01, 19 13:37

- passcodeunlock
There is only one answer for this: EVIDENCE IS MISSING!

When in the world will the digital forensic experts and analysts learn not to play with other people's lives based on their (not so sure) assumptions?!

This whole "confidence scale" around digital evidence is bullsh!t, it should be deleted forever from FF, it has only negative effects.

I'm quiet on this topic from now on.


I am unable to see where you came to such a conclusion as to the OP's intent and then used it as a means to smear everyone else in general. He is clearly trying to discern how to do things better, which is the exact opposite of your unhelpful rant. How about explaining what these "negative effects" are so the OP and the others engaging in discussion here actually have a real critique to process?
_________________
Preston Coleman, MFS, GCFE, EnCE

"The only thing necessary for the triumph of evil is for good men to do nothing" - Edmund Burke 

jaclaz (Senior Member)
Re: A scale of confidence for digital evidence
Posted: Feb 01, 19 15:57

If I may, when it comes to things for which there is not a definite proof, the duck test:
If it looks like a duck, swims like a duck, and quacks like a duck, then it probably is a duck.

remains valid, BUT ONLY in the slightly amended version by Douglas Adams:

If it looks like a duck, and quacks like a duck, we have at least to consider the possibility that we have a small aquatic bird of the family Anatidae on our hands.


More specifically, if it is undeniable that a given behaviour (let's say writing a MS Word document containing the word "palimpsestuous", saving it, copying it onto a USB stick and then deleting it from the internal hard disk) leaves a specific, known set of traces *like*:
1) some metadata in the actual file (found on a USB stick)
2) a temp file of some kind (on the internal disk)
3) a deleted record in the $MFT (or similar) for that file (filename) (on the internal disk)
4) fragments of text corresponding to the contents of that file in unallocated space (on the internal hard disk)
5) some entry in some system log recording activity in Word in the exact date/time of the creation of the file
6) some entry in some system log about the connection at the exact date/time of the saving of the file of a USB device with the same serial/UUID/whatever as the USB stick at hand

IF ALL 6 of the above are found and match, we have undeniably 100% proof.

IF we ONLY have 1, 2 and 3 or ONLY 1, 3 and 4, maybe we have, if not 100%, at least 99% proof.

IF we have ONLY 1, 5 and 6 then we definitely don't have 100% nor 99% proof but we do have enough data to highlight the coincidences (particularly if the MS Word program is actually very rarely used on the machine) and consider the possibility that the document was written on that machine.

AND IF we find that internet history is showing web searches for palimpsest and palimpsestuous around the time the document was created/saved THEN we may have enough to state that it is highly probable that the document was written on that PC.

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

tootypeg (Senior Member)
Re: A scale of confidence for digital evidence
Posted: Feb 05, 19 21:17

Some interesting points.

Jaclaz, your point above is a scenario where a scale of confidence surely would be of benefit. How we quantify value, I don't know yet. But as you say, there are clear degrees of being able to say something is there/not there.

Passcode - your only answer of 'evidence is missing'. Surely the very phrase is misleading and suggests that there has been some form of malicious/intentional removal of evidential content. Do you mean data to support the hypothesis is missing?

Trewmte - thanks for your input, this is something that I had not considered.



I think the problem we have is not using a scale of confidence but defining one properly so we can use it suitably in DF... or at least those are just my thoughts anyway. If you are asked to give your opinion on something (which does happen), then surely the strength of your opinion should in some way be quantified.

tootypeg (Senior Member)
Re: A scale of confidence for digital evidence
Posted: Mar 06, 19 15:06

Hi all,

Sorry to bring this back to life, but I have still been picking away at this and have come up with the following 'scale':

Link to my Scale Image

I tried to upload the image on FF but it wouldn't let me, so the image is just hosted on my Google Drive. I know people, including me, aren't keen on clicking links, but I've been a member here for over 10 years; the link is legit.


I guess it's maybe less of a scale and more of a clarification of language? Not sure anyway, but wanted to throw it out there for you guys to comment if you wish.

jaclaz (Senior Member)
Re: A scale of confidence for digital evidence
Posted: Mar 06, 19 17:00

- tootypeg

I guess it's maybe less of a scale and more of a clarification of language? Not sure anyway, but wanted to throw it out there for you guys to comment if you wish.

I still believe that the order is "wrong".

The two extremes are (should be, logically)
1 Conclusive Fact (i.e. proof that something happened and could ONLY happen in a given way/sequence/method or with a given cause)
and
5 Impossible (i.e. proof that something did NOT happen or that could not possibly happen in any known way/sequence/method or with a known cause).

#6 Insufficient information should be between #3 Conceivable and #4 Implausible; as I see it, "Insufficient information" is "neutral" between the two above-mentioned extremes.

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

Page 4 of 5